
RSA SecurID Access

13 Posts authored by: Nathan Furze Employee

Seamless access to RSA My Page for self-service

To make it easier for end users to enroll and manage their RSA Authenticate App, we have enabled single sign-on (SSO) support to RSA My Page from an external IDP. In addition, you can add your company logo for display during self-service. These two features allow seamless access for end users and provide a consistent user-branded experience.

 

 

Important: Upcoming Cloud Authentication Service IP Address Changes

To align with Microsoft Azure Resource Manager deployment model changes, the Cloud Authentication Service and Cloud Administration Console IP addresses will be changing in September 2019. Your deployment must be able to connect to both new and old IP addresses in September 2019.

 

RSA recommends that you start planning with your organization now to make the necessary changes to connect to these new IP addresses. If you do not update your firewall rules with the new IP addresses, your identity routers will not be able to contact the Cloud Authentication Service and services will be disrupted. For details, see Notice of Upcoming Cloud Authentication Service IP Address Changes.

 

For further details on all the new and updated capabilities of the June release, please refer to the Release Notes here:  RSA SecurID® Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App 

 

All these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

Don't miss our upcoming June product webinar tomorrow, June 12th at 11 am EST. More details on the webinar content and registration are here - Don't Miss Our Upcoming June Product Webinar

 

As always we will record this session and post the replay back to RSA SecurID Access:  All Access Granted 

Improved visibility into identity confidence scores, thresholds and categories

To help improve understanding of identity confidence attribute scoring and behavior, we have added new events (25001, 25002) to User Event Monitor Messages for the Cloud Authentication Service. These events show the authentication event score, the thresholds for high or low confidence, and the relative scores for the device, location and behavior categories. Additional details can be found under “Reporting a User’s Identity Confidence Score,” here - Condition Attributes for Access Policies.

 

Find out what is coming with monthly product webinars

If you haven’t already done so – check out RSA SecurID Access:  All Access Granted  to register for monthly product webinars.   You can also find recordings of the April and May webinars for demos of features in our May and upcoming June releases.

 

Important: Upcoming Cloud Authentication Service IP Address Changes

To align with Microsoft Azure Resource Manager deployment model changes, the Cloud Authentication Service and Cloud Administration Console IP addresses will be changing in August 2019. Your deployment must be able to connect to both new and old IP addresses in August 2019.

 

RSA recommends that you start planning with your organization now to make the necessary changes to connect to these new IP addresses. If you do not update your firewall rules with the new IP addresses, your identity routers will not be able to contact the Cloud Authentication Service and services will be disrupted. For details, see Schedule for Planned Changes to Cloud Authentication Service IP Addresses (March 2020) 

 

Release Notes

For further details on all the new and updated capabilities of the May release, please refer to the Release Notes here:  RSA SecurID® Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App  

 

This enhancement makes RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

Improved RSA Authenticate app security with email notifications

To help increase security, adding or deleting an RSA Authenticate app can trigger an email notification to the end user. This lets end users know if an impostor has tried to register or delete a device with their identity.

 

Pagination for RADIUS Profiles in the Cloud Administration Console

Pagination now makes it easier to manage multiple RADIUS profiles. In the Cloud Administration Console, you can choose to display 10, 20, or 30 profiles associated with a client on the RADIUS Profiles page. Expand each profile to see details, dissociate, or delete the profile. Profiles disappear from the list when you dissociate or delete them. For instructions on configuring RADIUS profiles, see Configure a RADIUS Profile for the Cloud Authentication Service .

 

Register for our new Monthly Product Webinar!

Don’t forget to register for one of our upcoming product webinars - RSA SecurID Access:  All Access Granted 

 

For further details on all the new and updated capabilities of the April release, please refer to the Release Notes here:  

RSA SecurID® Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App  

 

All of these enhancements make RSA SecurID Access an even more convenient, pervasive and intelligent solution for your authentication needs.

We are happy to announce the launch of the RSA SecurID Access: All Access Granted private space for RSA SecurID Access customers and partners. The goal of the All Access Granted space is to allow customers and partners an inside look at:

 

  • Product strategy
  • Introduction to new product features
  • Review innovation concepts and demos
  • Product insights from RSA Experts

 

We understand that as identity administrators, you are on the forefront of managing identity and digital risk, and your time is important.  If you can’t make one of the scheduled monthly webinars we will also post a replay recording to this space following each webinar.  In addition to the monthly product webinars we will also be posting content from some of RSA’s many identity experts. 

 

If you haven’t already done so, please go to RSA SecurID Access: All Access Granted, register for upcoming webinars, and click Follow in the upper right-hand corner so you are notified when new content has been posted.

 

Our first product webinar is scheduled for Wednesday, April 24, 2019 @ 11:00 AM EST.  Don't miss it!  

Advanced Mobile Authentication for Citrix Storefront

We are happy to announce the release of the RSA Authentication Agent v2.0 for Citrix StoreFront. The Citrix StoreFront agent is authentication software that provides Citrix StoreFront with a seamless authentication experience and additional mobile authentication methods for users inside and outside of the corporate firewall. For more details, please refer to the Release Notes.

The March release for the RSA SecurID® Access Cloud Authentication Service is now available.

This month’s release contains the following features:

Reduce Digital Risk with Threat-Aware Authentication

Threat-aware authentication allows you to control whether high risk users are allowed to access protected resources or if these users must authenticate at a higher assurance level than other users. Users might be identified as high risk because their accounts have been compromised, or because a third-party security information and event management (SIEM) solution, such as RSA NetWitness, has found suspicious activity. Additional details can be found here - Drive Intelligent Access Decisions with Identity Insights and Threat Context to Reduce Digital Risk  

Enhanced Policy Support for Multiple RADIUS Profiles

To accommodate the varied levels of privilege and policy across RADIUS clients, such as firewalls, VPNs and others, RSA SecurID Access now supports multiple RADIUS profile configurations. You will be able to create custom RADIUS profiles that specify an access policy rule set to identify which users can authenticate through the clients associated with the profile. You will be able to associate multiple profiles with a single client, or the same profiles with multiple clients. More details on how to leverage multiple RADIUS profiles can be found here - Multiple RADIUS Profiles Provide Policy-Driven Granular Control

Improved Visualization of the Identity Router for Simplified Management

This release introduces improved visualization of the identity router status in the administrator's cloud console, so you can more quickly understand the root cause of any issues. Additional details can be found here - Troubleshooting Identity Router issues made easier

Improved Identity Router Troubleshooting

We have added the capability to enable debug logging on the identity router before it has connected to the cloud service. Previously, you had to connect the identity router to the cloud service before you could enable debugging. Additional details can be found here - Enhanced Troubleshooting Before You Connect to the Cloud

Add Users to the Cloud When You Need Them

Just-in-time user provisioning will sync the user to the cloud at the time of first authentication, if they are in scope for the service. This allows new users to use the service even if they have not previously been synchronized to the cloud. We have enabled “just-in-time provisioning” by default for all new RSA SecurID Access customers. Existing customers will need to turn on just-in-time synchronization before they can leverage the feature. Additional details can be found here - Add Users to the Cloud Only When you Need Them

Updated Support for FIDO2

We are adding support for FIDO2 hardware tokens, which use public/private key cryptography. FIDO2 can be used for step-up authentication as part of a conditional policy to get access to web applications using Chrome, Firefox and Edge browsers. We continue to allow in-line registration and management for this authenticator. RSA continues to evaluate FIDO as a convenient and secure way to authenticate. FIDO2 hardware tokens are now supported on more browsers (including mobile browsers). A full list of supported browsers can be found here - Cloud Authentication Service User Requirements

Role permissions for select administrator API commands

To ensure correct API role permissions, when you generate an administrator API key you will have to select either the helpdesk or super administrator role for that key. Some REST APIs will be limited to the super administrator role only. A full list of REST APIs can be found here - Manage the Cloud Administration API Keys

For further details on all the new and updated capabilities of the March release, please refer to the Release Notes here:

RSA SecurID® Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App 

 

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

Threat Aware Authentication

In the March 2019 release of the RSA SecurID Access cloud authentication service we are happy to announce the release of Threat Aware Authentication with RSA SecurID Access (RSA® Extends Evolved SIEM Capabilities to Reduce Digital Risk with Expanded Analytics and Enables Threat Aware Authentic… ).  Threat Aware Authentication takes an innovative approach by detecting anomalous activity with RSA NetWitness Platform, leveraging advanced machine learning, and then feeding actionable insights into RSA SecurID Access. RSA SecurID Access leverages this threat intelligence, along with business context and identity insights, in real time to trigger additional authentication when the risk is high. This empowers security teams with continuous authentication as an automated out-of-the-box workflow to reduce the number of alerts that might block genuine user activity and to elevate critical alerts with higher probability of being malicious.

 

Managing Digital Risk

When RSA SecurID Access is informed of high-risk activity, whether the user was in an active session that was disconnected or is about to log into an application, it will take the threat intelligence into account in the policy assessment to determine the action. For example, if the information indicates that the risk is high, this will impact the current identity assurance, which is the confidence that the user is who they claim to be. Additional authentication will be triggered. When users need to authenticate, they can use a broad variety of modern, mobile optimized authentication options such as push to approve, biometric authentication (fingerprint and face), one-time passcodes (OTPs) and SMS, as well as software and hardware tokens, leveraging strong authentication to power identity assurance. If RSA NetWitness determines that the suspicious activity is persistent and more sophisticated remediation is required, the RSA SecurID Access policy will block the user from accessing the application.

 

Trust Elevated

This release includes new APIs to add, remove and view users on the high-risk user list, as well as a new policy attribute - Determining Access Requirements for High-Risk Users in the Cloud Authentication Service. The high-risk user attribute is a binary attribute that can be included in policies to raise the level of authentication or block access to applications. The policy attribute allows you to either apply a one-size-fits-all implementation or differentiate the policy action based on contextual factors. Is the application too sensitive to allow any authentication from someone on the high-risk user list? Is the risk mitigated if the user provides additional authentication factors? Threat-Aware Authentication empowers the Identity team to automate incident-response procedures, leveraging strong, multi-factor authentication, elevating trust instead of blocking users, and reducing digital risk with RSA SecurID Access.

In the March 2019 RSA SecurID Access cloud authentication service release we have enabled “just-in-time provisioning” by default for all new RSA SecurID Access customers. Just-in-time user provisioning will sync the user to the cloud at the time of first authentication, if they are in scope for the service. This allows new users to use the service even if they have not previously been synchronized to the cloud. It also allows organizations to add identities to the cloud only when they are needed, rather than syncing the entire user population to the cloud. Existing customers will need to navigate to ‘My Account > Customer Settings > Company Information’ and turn on just-in-time synchronization before they can leverage the feature. Additional details can be found here - Configure Company Information and Certificates

 

 

During the second half of 2018 the product team wanted to hear from our listening posts viz. customers, partners, and our field team around improving overall customer experience when it comes to RSA SecurID Access product installation and configuration. Your valuable feedback helped us refine that into Top 10 areas where we should focus our efforts. One such area was to improve troubleshooting and managing of Identity Routers (IDR) during POCs, production deployments and post-production upgrades.

 

We heard and acted upon your feedback! In the upcoming March 2019 full stack release, we have introduced 13 new indicators that will help streamline your troubleshooting efforts around the identity router. The Status Indicators feature also makes it simpler to manage some IDR functions through the Cloud Administration Console.

 

Some of the key challenges that these status indicators will help you narrow down are:

  1. Clock drift between the cloud and the identity router, which creates SAML assertion challenges
  2. Identity source servers that are unreachable or down for various reasons
  3. Users who are not able to authenticate using SecurID HW or SW tokens due to connectivity issues between the on-premise RSA Authentication Manager and the identity router
  4. Publish operations that are failing
  5. An IDR that is stuck or takes longer than usual while upgrading. The new status indicators help you identify whether the potential issue is due to errors while downloading RPMs and libraries from the cloud repository or while downloading adapters from the cloud repository

 

As always, we are open to hearing from you on innovative ways of making your day to day work easier related to managing and troubleshooting Identity Router.  To find out more about this feature, check out the product documentation here - View Identity Router Status in the Cloud Administration Console

We are happy to announce, in the March 2019 Cloud Authentication Service, that you can now use the Identity Router Setup Console to enable SSH and debug logging for in-depth troubleshooting of the identity router when it is unable to connect to the Cloud Authentication Service.  Enabling SSH in the Identity Router Setup Console provides the same functionality as enabling SSH in the Cloud Administration Console with one exception. In the Cloud Administration Console, you can limit connectivity to the identity router by specifying source networks in the SSH firewall rule. In the Identity Router Setup Console, any network component can access the identity router when you enable SSH. Because of this, enable emergency SSH only for a specified period of time and then disable it. 

The published SSH firewall setting in the Cloud Administration Console overrides the SSH setting in the Identity Router Setup Console. For example, suppose an administrator enables emergency SSH in the Identity Router Setup Console. Then another administrator removes the SSH firewall setting on the identity router in the Cloud Administration Console and publishes the changes. The Identity Router Setup Console then disables emergency SSH. Additionally, if you change and save the Log Level setting in the Cloud Administration Console, the change overwrites this setting in the Identity Router Setup Console. For more details on this feature, check out the product documentation here - Troubleshooting Identity Router Issues

The February release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. See below for this month’s key updates.

 

Monitor Current and Historic Cloud Availability

This month, we are publishing a web page where customers can learn the current status of the Cloud Authentication Service (CAS) and recent history - Monitor Uptime Status for the Cloud Authentication Service 

This page allows you to:

  • Check current service availability
  • View recent uptime percentage
  • View historical uptime percentage

The page displays a list of services. The embedded URL identifies which services belong to your company.

In addition, the Cloud Administration Health Check API  enables customers to access this information from their own monitoring applications, to incorporate the cloud authentication service status into their overall enterprise visibility.

 

Improved Availability with Global Disaster Recovery Sites

To help assure the highest availability, RSA maintains a disaster recovery environment for the Cloud Authentication Service across all regions. When the Cloud Authentication Service environment becomes unavailable for any reason, your deployment automatically switches to the disaster recovery environment. Please reference the release notes below and the setup documentation for directions on how to test your configuration to ensure it can reach the alternate site when needed.


Go here for more details: 
Test Access to Cloud Authentication Service 

Streamlining mobile application registration using AppConfig

For customers using enterprise mobile management (EMM) tools that support the industry “AppConfig” standard (info here), the RSA SecurID Authenticate app can now interface with those tools during registration. Specifically, information from the EMM can be used to pre-populate the Authenticate application, streamlining and simplifying the device registration process for end users, and also making the process more secure since the registration information used is controlled.

 

Go here for more details:  Deploying the RSA SecurID Authenticate App in EMM Environment 

 

For further details on all the new and updated capabilities of the February release, please refer to the Release Notes here: RSA SecurID® Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App

 

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

In the recent What's New in RSA SecurID® Access?  we are excited to announce the release of the RSA SecurID Access Log Events API to retrieve administrator and user event logs from the RSA SecurID Cloud Authentication Service.  You can use the Log Events REST API to import the log events into your security information and event management (SIEM) solution, such as RSA NetWitness, to ensure security and audit compliance. 

 

For more information on this feature – please check out this additional content.

 

In case you missed this announcement from the Gartner IAM Summit:

 

RSA Expands Its Technology Ecosystem to Transform Authentication 

RSA® SecurID® Access software will interoperate with CyberArk Privileged Account Security Solution, Microsoft Windows Hello, Palo Alto Networks Next-Generation Firewall and VMware Workspace ONE™

 

Integration Guides for each of these partnerships can be found in our RSA Ready program page. 

 

Nathan
